infoTECH Feature

The Flaws of UPnP Exposed: Security Experts Say Disable it

Warning! Universal Plug and Play, or UPnP, may enable simple and robust connectivity to stand-alone devices, but it does not implement its own authentication and authorization mechanism or provide security against hackers.

UPnP is an open industry standard that has replaced PnP. It uses Internet protocols to let consumer electronic networking devices, appliances (wired and wireless) and developed applications have their presence discovered automatically, without configuration or user intervention.

For security reasons, the U.S. Department of Homeland Security (DHS) has raised concerns about this communications protocol. It warns UPnP users to disable it (if possible) and to restrict networking protocols and ports, including the Simple Service Discovery Protocol (SSDP) and Simple Object Access Protocol (SOAP) services, because the hardware components of millions of users risk being exposed to common network bugs.

The security team at Rapid7, a provider of security risk intelligence solutions, described its findings in a white paper released this week. The research revealed that between 40 and 50 million network-enabled devices can potentially be compromised remotely as a result of programming bugs in common UPnP implementations.

Like other bugs in networking systems, this UPnP security flaw makes hardware and software components vulnerable to attacks by hackers, Rapid7 said. It cautioned users that they could be prone to malware and denial-of-service (DoS) attacks and, worse, could remotely lose control of one or more hardware devices as a result of their identity and password being compromised.

By default, UPnP is enabled on many networking devices. If possible, disable it!

Users are advised to use UPnP at their own risk, or to acquire the extension of the UPnP specification called UPnP-UP (Universal Plug and Play - User Profile), which can help manage user profiles and control access to UPnP-enabled devices and applications. Otherwise, they should consider disabling UPnP altogether, as DHS recommends, because leaving it enabled could lead to exploitable vulnerabilities.
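To confirm that disabling UPnP took effect, an administrator can check which devices on the local network segment still answer SSDP discovery. The Python code below is an added example, not part of the original article or of the DHS or Rapid7 material; the function names and the sample reply are constructed for illustration, and it assumes it is run on a network the user administers.

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast address and port

# Constructed sample reply (documentation address 192.0.2.1), not a real capture.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                b"LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n"
                b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleStack/1.0\r\n"
                b"ST: upnp:rootdevice\r\n\r\n")

def build_msearch(mx=2, st="ssdp:all"):
    """Build the SSDP M-SEARCH request that UPnP devices answer."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\nST: {st}\r\n\r\n").encode("ascii")

def parse_response(data):
    """Return lower-cased headers of a 200 reply, or None for anything else."""
    lines = data.decode("utf-8", "replace").split("\r\n")
    status = lines[0].split()
    if len(status) < 2 or not status[0].startswith("HTTP/") or status[1] != "200":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # first colon only: URLs stay intact
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_lan(timeout=3.0):
    """Send one M-SEARCH on the local link; map responder IP -> headers."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # do not cross routers
        s.settimeout(timeout)
        s.sendto(build_msearch(), SSDP_GROUP)
        try:
            while True:
                data, (ip, _port) = s.recvfrom(65507)
                headers = parse_response(data)
                if headers:
                    found.setdefault(ip, headers)
        except socket.timeout:
            pass  # no further replies within the timeout
    return found

if __name__ == "__main__":
    for ip, h in sorted(audit_lan().items()):
        print(ip, h.get("server", "?"), h.get("location", "?"))
```

Any address the script prints is a device that still has UPnP discovery enabled; an empty result after the change is the expected outcome.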

This news on UPnP should raise a red flag for millions of networking end users. Even though the standard is an efficient means for machines to discover each other's presence, using it could pose a severe security risk, warn DHS, Rapid7 and the CERT Coordination Center.
